Legislators, regulators, and investors are placing increasing mandates on businesses to improve transparency and controls over financial and compliance reporting. Laws such as the U.S. Sarbanes-Oxley Act (“SOX”), Canadian Bill 198, OMB Circular 123A, and Japanese SOX are forcing organizations to adopt rigorous approaches to documenting and testing internal processes and controls. Financial compliance regulation that began with SOX has evolved from a bottom-up, controls-coverage approach toward a top-down approach that takes risk management into consideration. For example, Auditing Standard No. 5, released by the Public Company Accounting Oversight Board, encourages a top-down approach in its guidance to auditors engaged to perform an audit of management's assessment of the effectiveness of internal control over financial reporting.
In the context of a financial audit, a risk is defined as the chance of an event occurring that will have a positive or negative impact on the objectives of an organization. A control is defined as an existing process, policy, device, practice, or other action that acts to minimize negative risk or enhance positive opportunities. A business process and its risks and controls can be reviewed periodically to determine how they are defined and implemented. An assessment can be used to evaluate the validity and effectiveness of controls, risks, and the business process to find out if any element is missing, out of place, or has changed. An assessment may be performed on one or more risks, one or more controls, or a combination of risks and controls.
In previous financial audit systems, the scope of a financial audit is generally determined manually, using spreadsheets and financial statements. All accounts of an audit are listed with their accompanying balances in a spreadsheet or financial statement, and a user manually iterates through the information to identify the accounts that are within the scope of the audit.